Establish, implement, and maintain physical security controls for distributed assets.


CONTROL ID
00718
CONTROL TYPE
Physical and Environmental Protection
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a physical security program., CC ID: 11757

This Control has the following implementation support Control(s):
  • Control the transiting and internal distribution or external distribution of assets., CC ID: 00963
  • Restrict physical access to distributed assets., CC ID: 11865
  • Protect physical assets with earthquake-resistant mechanisms., CC ID: 06360
  • Establish, implement, and maintain a media protection policy., CC ID: 14029
  • Establish, implement, and maintain removable storage media controls., CC ID: 06680
  • Protect distributed assets against theft., CC ID: 06799
  • Establish, implement, and maintain end user computing device security guidelines., CC ID: 00719
  • Establish, implement, and maintain a mobile device management program., CC ID: 15212
  • Establish, implement, and maintain mobile device security guidelines., CC ID: 04723
  • Remove dormant systems from the network, as necessary., CC ID: 13727
  • Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls., CC ID: 00722
  • Secure system components from unauthorized viewing., CC ID: 01437
  • Establish, implement, and maintain asset return procedures., CC ID: 04537
  • Prohibit the use of recording devices near restricted data or restricted information, absent authorization., CC ID: 04598
  • Establish, implement, and maintain open storage container procedures., CC ID: 02198
  • Establish, implement, and maintain a clean desk policy., CC ID: 06534
  • Establish, implement, and maintain a clear screen policy., CC ID: 12436
  • Establish, implement, and maintain contact card reader security guidelines., CC ID: 06588
  • Establish, implement, and maintain contactless card reader security guidelines., CC ID: 06589
  • Establish, implement, and maintain Personal Identification Number input device security guidelines., CC ID: 06590
  • Identify customer property within the organizational facility., CC ID: 06612
  • Prohibit the unauthorized remote activation of collaborative computing devices., CC ID: 06768
  • Provide a physical disconnect of collaborative computing devices in a way that supports ease of use., CC ID: 06769
  • Indicate the active use of collaborative computing devices to users physically present at the device., CC ID: 10647
  • Provide storage media shelving capable of bearing all potential loads., CC ID: 11400

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should identify the locations within and outside their premises (including service providers) where their customer data are stored or can be accessed. They should satisfy themselves that adequate physical security (including physical access controls, security guards and surveillance cameras) is … (Annex G. ¶ 1, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • In principle, AIs should require staff members to use only the computing devices provided by AIs for storing or accessing AIs' customer data. Alternatively, AIs should fully comply with the standard of stringent minimum controls developed by the Hong Kong Association of Banks (HKAB) on Bring-Your-Ow… (Annex F. ¶ 1, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • Physical security measures should be in place to protect computer facilities and equipment from damage or unauthorized access. Critical information processing facilities should be housed in secure areas such as data centres and network equipment rooms with appropriate security barriers and entry con… (3.6.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The organization shall define and implement management methods to prevent the unauthorized use, theft, and breakage of computer system devices. (O57, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Give due consideration to proper layout of equipment, such as installing production machines and backup machines separately in order to minimize the downtime of major systems and restore normal operation to the major systems in the possible fastest time, since it takes much time to restore any water… (F39.4. ¶ 1(2) ¶ 1 3), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Secure location of critical assets providing protection from natural and man-made threats (Critical components of information security 8) (iii) Bullet 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Additional physical protection of equipment used to generate, store and archive cryptographic keys (Critical components of information security 14) (iv) a., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should ensure that security controls are implemented at payment card systems and networks. (§ 13.1.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should deploy security systems and surveillance tools, where appropriate, to monitor and record activities that take place within the DC. The FI should establish physical security measures to prevent unauthorised access to systems, equipment racks and tapes. (§ 10.2.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should ensure that information processed, stored or transmitted between the FI and its customers is accurate, reliable and complete. With internet connection to internal networks, financial systems and devices may now be potentially accessed by anyone from anywhere at any time. The FI should … (§ 12.1.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access. (Security Control: 1296; Revision: 2, Australian Government Information Security Manual, March 2021)
  • ICT equipment and media are secured when not in use. (Security Control: 0161; Revision: 5, Australian Government Information Security Manual, March 2021)
  • ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility. (Security Control: 0250; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Physical security is implemented to protect network devices in public areas from physical damage or unauthorised access. (Control: ISM-1296; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Servers, network devices and cryptographic equipment are secured in security containers or secure rooms suitable for their sensitivity or classification taking into account the combination of security zones they reside in. (Control: ISM-1530; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Physical security is implemented to protect network devices in public areas from physical damage or unauthorised access. (Control: ISM-1296; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Servers, network devices and cryptographic equipment are secured in security containers or secure rooms suitable for their classification taking into account the combination of security zones they reside in. (Control: ISM-1530; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Physical protection must be furnished to adequately protect network devices, especially ones located in public areas. (Control: 1296, Australian Government Information Security Manual: Controls)
  • The organization should ensure Multi-Function Devices and fax machines are located in an area where they can be observed when being used. (Control: 1036, Australian Government Information Security Manual: Controls)
  • The organization must ensure classified media or sensitive media is protected in accordance with the minimum physical security storage requirements of the Australian Government Protective Security Policy Framework. (Control: 0338, Australian Government Information Security Manual: Controls)
  • The organization must configure, harden, and secure web servers. (Control: 1242, Australian Government Information Security Manual: Controls)
  • The organization must ensure gateways that connect networks from different security domains are operated and maintained by protecting them with authentication, logging, and auditing of all physical access to gateway components. (Control: 0634 Bullet 4, Australian Government Information Security Manual: Controls)
  • The organization should implement additional physical controls to protect the equipment used to generate, store, and archive the cryptographic keys. (Attach F ¶ 6(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • APRA expects that a regulated institution would seek regular assurance that IT assets are appropriately secured and that its IT security risk management framework is effective. This would normally be executed through a formal program of work that facilitates a systematic assessment of the IT securit… (¶ 80, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • additional physical protection of equipment used to generate, store and archive cryptographic keys; (Attachment F ¶ 6(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Measures should be implemented to ensure equipment is protected from theft, damage, and unauthorized access. Servers and communications equipment should be separated from general user areas by a clearly defined perimeter. (§ 3.1.7, § 3.1.17, § 3.1.34, § 3.10.50, Australian Government ICT Security Manual (ACSI 33))
  • put in place and maintain a sound and documented ICT risk management framework that details the mechanisms and measures aimed at a quick, efficient and comprehensive management of ICT risk, including for the protection of relevant physical components and infrastructures; (Art. 16.1. ¶ 2(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Preventing unauthorised physical site access and protection against theft, damage, loss and failure of operations. (Section 5.5 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • The requirements for the handling of supporting assets (e.g. transport, storage, repair, loss, return, disposal) are determined and fulfilled. (3.1.3 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • The defined protective measures are implemented. (3.1.1 Requirements (must) Bullet 2, Information Security Assessment, Version 5.1)
  • The organization must verify that all locations storing information and system assets, including cryptographic items, have an appropriate level of physical security. (Mandatory Requirement 47, HMG Security Policy Framework, Version 6.0 May 2011)
  • App 2 ¶ 14.a: For IT systems that process and access restricted information, the system must strictly control physical access to all hardware elements. This is applicable to UK contractors. App 6 ¶ 15.a: For IT systems that process and access UK restricted information, the system must strictly con… (App 2 ¶ 14.a, App 6 ¶ 15.a, The Contractual process, Version 5.0 October 2010)
  • Encryption technologies and physical (hardware) device protections are used for peripherals and removable data storage media (such as remote printers that store system-generated data, USB ports, drives, remote USB storage devices and data back-up media), as appropriate. (S7.3 Protects removable media, Privacy Management Framework, Updated March 1, 2020)
  • Are physical parameters and security measures implemented? (Table Row II.41, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Has the organization implemented adequate security around the global positioning satellite receivers? (Table Row XIII.29, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Physical access to the computer should be protected. Only personnel needing access to the computer should be admitted to the room. If the computer is located in an open area, it should be bolted to a wall or heavy furniture, or it should be locked in a secure container when not in use. Printers shou… (Pg 31, Pg 82, Mac OS X Security Configuration for version 10.4 or later, Second Edition)
  • If the server can be physically accessed, many security precautions can be overridden. The server should be located where the keyboard, mouse, and ports cannot be accessed without proper authorization. (§ 1.1, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
  • Wireless network devices should be physically secured or protected by an alarm to ensure they cannot be tampered with or stolen. (§ 2.2 (2.2.025), The Center for Internet Security Wireless Networking Benchmark, 1)
  • Physical security should minimize the potential of unauthorized access, the loss of data, or willful or accidental damage by personnel. (¶ 19.7, Good Practices For Computerized systems In Regulated GXP Environments)
  • Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special purpose printers or security tokens. (DS13.4 Sensitive Documents and Output Devices, CobiT, Version 4.1)
  • How is physical media inventoried, secured, monitored, and tracked? (Appendix D, Implement Strong Access Control Measures Bullet 16, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Verify that physical access to Wireless Access Points, gateways, and handheld devices is appropriately restricted. (§ 9.1.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify physical access to Wireless Access Points, handheld devices, telecommunications lines, gateways, networking hardware, and communications hardware is restricted. (Testing Procedures § 9.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must restrict physical access to gateways and wireless access points. (§ 9.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that physical access to wireless access points, gateways, and handheld devices is appropriately restricted. (§ 9.1.3 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Restrict physical access to cardholder data. (§ 9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Physical access to Wireless Access Points, handheld devices, telecommunications lines, gateways, networking hardware, and communications hardware must be restricted. (PCI DSS Requirements § 9.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Devices that capture payment card data by a direct physical interaction with the card must be protected against tampering and substitution. (Note: this is a Best Practice and becomes a requirement after June 30, 2015.) (PCI DSS Requirements § 9.9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Restrict physical access to cardholder data. (PCI DSS Requirements § 9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • An organization must require that wireless devices be labeled with owner, contact information and purpose. (§ 4.6.1.D, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • The merchant is responsible for ensuring the integrity and security of the mobile device and its secure storage when not in use (e.g., locked in a cabinet, tethered to a counter or under 24-hour surveillance). (¶ 5.1.1, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
  • Mobile device management should be reviewed by the IT auditor and he/she should, at a minimum, consider the process to identify lost or stolen devices and terminating their service. (App A.2, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • The organization should ensure a program has been implemented to protect all information systems equipment, networks, and the information stored and processed on the equipment. Physical controls must be used to protect the server against unauthorized access. (Pg 1-I-A2, Pg 12-II-19, Pg 12-II-45, Protection of Assets Manual, ASIS International)
  • Information associated with office equipment shall be protected against physical access and tampering by restricting access to Universal serial bus ports. (CF.12.03.03b, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be protected against theft or copying by restricting physical access to important office equipment (e.g., network printers, photocopiers, facsimile machines, scanners, and multifunction devices). (CF.03.03.03b-3, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be protected against theft or copying by locating equipment used for sensitive printed material in secure physical areas. (CF.03.03.03c, The Standard of Good Practice for Information Security)
  • Information associated with office equipment shall be protected against physical access and tampering by restricting access to Universal serial bus ports. (CF.12.03.03b, The Standard of Good Practice for Information Security, 2013)
  • Sensitive physical information should be protected against theft or copying by restricting physical access to important office equipment (e.g., network printers, photocopiers, facsimile machines, scanners, and multifunction devices). (CF.03.03.03b-3, The Standard of Good Practice for Information Security, 2013)
  • Sensitive physical information should be protected against theft or copying by locating equipment used for sensitive printed material in secure physical areas. (CF.03.03.03c, The Standard of Good Practice for Information Security, 2013)
  • Physical security perimeters (fences, walls, barriers, guards, gates, Electronic Surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard sensitive data and Information Systems. (FS-03, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Authentication tools shall be resistant to attacks. (§ 4.4.2 ¶ 1, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • Authentication tools shall be tamper resistant and/or be able to react to physical tampering attempts. (§ 4.4.3, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • ¶ 8.1.7(1) Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the building… (¶ 8.1.7(1), ¶ 10.2.9, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • A policy should be developed for the clearing off of information from desks and computer screens when the user is not present. This will reduce the risk of unauthorized access and the loss of or damage to information. (§ 11.3.3, ISO 27002 Code of practice for information security management, 2005)
  • safeguarded from adjustments, damage or deterioration that would invalidate the calibration status and subsequent measurement results. (7.1.5.2 ¶ 1(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • Equipment should be sited securely and protected. (§ 7.8 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Processes and controls are in place to protect endpoint devices (such as mobile devices, laptops, desktops, and sensors). (CC6.7 ¶ 2 Bullet 4 Protects Endpoint Devices, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization manages and protects physical access to information assets (e.g., session lockout, physical control of server rooms). (PR.AC-2.1, CRI Profile, v1.2)
  • Physical access to assets is managed and protected. (PR.AC-2, CRI Profile, v1.2)
  • The organization manages and protects physical access to information assets (e.g., session lockout, physical control of server rooms). (PR.AC-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system]. (PE-3(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset and (2) the Low Impact BES Cyber System Electronic Access Points (LEAPs), i… (Section 2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the Responsible Entity, that p… (Attachment 1 Section 2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Is there a physical security program? (§ F.1, Shared Assessments Standardized Information Gathering Questionnaire - F. Physical and Environmental, 7.0)
  • There should be physical controls in place to prevent unauthorized modification to, destruction of, or disclosure of software, documentation, and data and to prevent unauthorized modification to or destruction of hardware. The protection level should be commensurate with the information sensitivity … (§ 2-3.a(4), Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The security manager must ensure that all required physical security controls to protect Information Systems and hardware devices, which includes facility procedures, security marking procedures, and handling procedures comply with the Defense Information Systems Agency traditional security checklis… (§ 3.5.1 ¶ AC35.025, DISA Access Control STIG, Version 2, Release 3)
  • The security manager must ensure that all of the implemented physical security controls that are used to protect Information Systems and hardware devices comply with the Defense Information Systems Agency traditional security checklist. (§ 3.5.6 ¶ AC35.025, DISA Access Control STIG, Version 2, Release 3)
  • The information assurance officer must ensure the physical connection between the capture device and the comparator and the comparator and the portal of the biometric system are adequately secured. (§ 4.8 ¶ BIO7030, DISA Access Control STIG, Version 2, Release 3)
  • Physical access to the computer should be protected. Servers should be in either locked cabinets or rooms only accessible by authorized personnel. If workstations contain sensitive data, they should be located in an access-controlled area. (§ 3.1, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • All equipment and ancillary devices should be protected. Servers should be located in locked cabinets or rooms where only authorized personnel are permitted. If workstations contain sensitive information, they should be located in a controlled access area. (§ 3.1 (1.001), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • All equipment and ancillary devices should be protected. Servers should be located in locked cabinets or rooms where only authorized personnel are permitted. If workstations contain sensitive information, they should be located in a controlled-access area. (§ 3.1, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • Wireless and WWAN devices should not be permitted in a SCIF. Wireless devices that have been approved in accordance with Director Central Intelligence Directive (DCID) 6/9 or 6/3 are allowed. Verify users are trained on the appropriate security procedures for bringing wireless or WWAN devices into t… (§ 2 (WIR0180), § 4.2 (WIR0374), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2)
  • Wireless PEDs should not be permitted in Sensitive Compartmented Information Facilities (SCIFs), unless they have been approved in accordance with Director Central Intelligence Directive (DCID) 6/9 or 6/3. (§ 2.1 (WIR0180), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • The IAO will ensure wireless devices are not permitted in a permanent, temporary, or mobile Sensitive Compartmented Information Facilities (SCIFs) unless approved by the SCIF Cognizant Security Authority (CSA) in accordance with Director Central Intelligence Directive (DCID) 6/9. (§ 2.1 (WIR0180), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • Wireless PEDs (Portable Electronic Devices) should not be permitted in a SCIF (Sensitive Compartmented Information Facility) unless they have been approved in accordance with Director Central Intelligence Directive (DCID) 6/9 or 6/3. (§ 2.1 (WIR0180), DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist, Version 5 Release 2.4)
  • The areas where access transactions are displayed and authorization data and personal identification data are stored, displayed, recorded, and/or inputted must be protected. The organization is required to prevent or detect unauthorized modification of hardware or software and the unauthorized acces… (§ 5-313, § 8-308, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. (§ 164.310(c), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • The agency shall control physical access to Information System devices that display criminal justice information. (§ 5.9.1.5, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Desktop security—discuss use of screensavers, restricting visitors' view of information on screen (mitigating "shoulder surfing"), battery backup devices, allowed access to systems. (§ 5.2.1.3 ¶ 1(15), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency shall control physical access to information system devices that display CJI and shall position information system devices in such a way as to prevent unauthorized individuals from accessing and viewing CJI. (§ 5.9.1.5 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Implements physical and logical controls in the VoIP environment, evaluates options for backup systems, and considers control solutions specific to VoIP, such as VoIP-ready firewalls. (App A Objective 13:3o, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Physical, logical, and environmental controls. (App A Objective 14:2c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Desktop computing. (App A Objective 12:12 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Physical controls protect plastic cards, personal identification number (PIN) information, EFT equipment, and communication systems; (TIER II OBJECTIVES AND PROCEDURES E.2. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • Security and control exist over ACH capture and transmission equipment; and (TIER II OBJECTIVES AND PROCEDURES E.3. Bullet 6, FFIEC IT Examination Handbook - Audit, April 2012)
  • Controls exist over the terminal used by the financial institution to access files at an external servicer's location, (TIER II OBJECTIVES AND PROCEDURES F.2. Bullet 4, FFIEC IT Examination Handbook - Audit, April 2012)
  • Exam Tier II Obj E.2 Determine whether audit procedures for payment systems risk adequately consider the risks in retail EFT (automatic teller machines, point-of-sale, debit cards, home banking, and other card-based systems including VISA/ Master Charge compliance). Evaluate whether ▪ Written proc… (Exam Tier II Obj E.2, Exam Tier II Obj E.3, FFIEC IT Examination Handbook - Audit, August 2003)
  • Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: ▪ Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechani… (Exam Tier II Obj 1.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • (Obj 5.4, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • All critical and valuable equipment should contain bar codes and labels and be logged in an inventory. (Pg 21, Exam Tier II Obj E.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • Evaluate the logical and physical security controls to ensure the availability and integrity of production retail payment systems applications. Determine: (App A Tier 2 Objectives and Procedures C.1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Ensuring appropriate controls over portable RDC-related equipment, such as computers and scanner equipment and software. (App A Tier 2 Objectives and Procedures N.7 Bullet 1 Sub-Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Operational risk mitigation: Review whether management controls include the following: risk management; transaction monitoring and geolocation tools; fraud prevention, detection, and response programs; additional controls (e.g., stronger authentication and encryption); authentication and authorizati… (AppE.7 Objective 5:4 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • All critical and valuable equipment should contain bar codes and labels and be logged in an inventory. (Exam Tier II Obj 3.1, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Determine the quality and effectiveness of the financial institution's wholesale payment systems management function. Consider: ▪ Data center and network controls over backbone networks and connectivity to counterparties. ▪ Departmental controls, including separation of duties and dual control … (Exam Tier I Obj 2.1, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system]. (PE-3(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Enforce physical access authorizations to the system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]. (PE-3(1) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • The minimum protection standards for accessing Federal Tax Information (FTI) require going through two barriers under normal security. There are 3 physical protection combinations to choose from: secured perimeter/locked container, locked perimeter/secured interior, and locked perimeter/security con… (§ 4.2, § 5.6.17.1, Exhibit 6, § 5.6.17.6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Has the Credit Union implemented physical access controls to the equipment and facilities that house data files and archives of sensitive member information? (IT - 748 Compliance Q 6b, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are the locations of assets analyzed to determine if their security is appropriate to the sensitivity of the information stored on the asset? (IT - Security Program Q 17, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the physical security policy include computing and non-computing assets? (IT - Security Program Q 18, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Analyze risks associated with a workstation's surroundings for possible negative impacts. (§ 4.11.3 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Enforce physical access authorizations to the system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]. (PE-3(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Enforce physical access authorizations to the system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]. (PE-3(1) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Protect against unauthorized physical connections at [Assignment: organization-defined managed interfaces]. (SC-7(14) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Enforce physical access authorizations to the system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]. (PE-3(1) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Protect against unauthorized physical connections at [Assignment: organization-defined managed interfaces]. (SC-7(14) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Access points should be located away from exterior walls and windows and near the center of rooms to help reduce the coverage area. (Table 8-2 Item 12, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • Cryptographic modules shall use physical security mechanisms to restrict unauthorized access to the module's contents and to deter unauthorized modification or use when the module is installed. All software, hardware, firmware, and data components inside the cryptographic boundary shall be protected… (§ 4.5 ¶ 1, § 4.5 ¶ 2, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
  • Calls for Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provid… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system]. (PE-3(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Passwords should be used with care on operator interface devices such as control consoles on critical processes. Using passwords on these consoles could introduce potential safety issues if operators are locked out or delayed access during critical events. Physical security should supplement operato… (§ 6.2.7.1 ICS-specific Recommendations and Guidance ¶ 5 Bullet 3, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Prevention of unauthorized introduction of devices intentionally designed to cause hardware manipulation, communications eavesdropping, or other harmful impact. (§ 6.2.11 ICS-specific Recommendations and Guidance ¶ 1 Bullet 5, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The wireless security plan should include guidelines for protecting WLAN client devices from theft. (§ 6.1(WLAN client device security), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • If a firewall can be easily accessed by intruders or accidentally damaged, no matter what kind of defense it might provide, it is highly vulnerable. It is recommended that firewalls be stored behind locked doors, or kept with guards and physical security alarms. (§ 4.6, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002)
  • Physical access to data and devices is managed. (PR.AC-P2, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization should use hardware to deter unauthorized physical access to system devices. (SG.PE-3 Requirement Enhancements 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must establish and maintain access control for transmission medium policies and procedures to control physical access to system transmission and distribution lines within the facility. (App F § PE-4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should detect or prevent physical tampering or alteration of hardware. (App F § PE-3(5), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Immediate operator interaction is critical for some Industrial Control Systems and local emergency actions cannot be hampered by identification or authentication requirements. For these systems, access may be restricted by physical security controls. (App I § IA-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization employs {organizationally documented security safeguards} to {detect} physical tampering or alteration of {organizationally documented hardware components} within the information system. (PE-3(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {organizationally documented security safeguards} to {prevent} physical tampering or alteration of {organizationally documented hardware components} within the information system. (PE-3(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system]. (PE-3(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system]. (PE-3(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces]. (SC-7(14) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Enforce physical access authorizations to the system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]. (PE-3(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Protect against unauthorized physical connections at [Assignment: organization-defined managed interfaces]. (SC-7(14) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Enforce physical access authorizations to the system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]. (PE-3(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Protect against unauthorized physical connections at [Assignment: organization-defined managed interfaces]. (SC-7(14) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Physical access to assets is managed, monitored, and enforced commensurate with risk (PR.AA-06, The NIST Cybersecurity Framework, v2.0)
  • The organization should have controls in place to limit access to all the system's assets. (§ II.C, OMB Circular A-123, Management's Responsibility for Internal Control)